IaC Scanning

Join the Preview!

Static Infrastructure as Code (IaC) scanning is in Preview. To request access, complete the form.

Request Access

Static Infrastructure as Code (IaC) scanning integrates with version control systems, such as GitHub, to detect misconfigurations in cloud resources defined by Terraform. The scanning results are displayed in two primary locations: within pull requests during code modifications and on the Explorers page within Cloud Security Management.

CSM Explorers page displaying detected misconfigurations in cloud resources

When you click on a finding, the side panel reveals additional details, including a short description of the IaC rule related to the finding and a preview of the offending code.

Finding side panel highlighting undefined EBS volume encryption in Terraform code.

Supported providers

  • Version control system: GitHub
  • Infrastructure as code tool: Terraform

Setup

Set up the GitHub integration

Follow the instructions for creating a GitHub app for your organization.

To use IaC scanning, you must give the GitHub App Read & Write permissions for Contents and Pull Requests. These permissions can be applied to all or select repositories.

Enable IaC scanning for your repositories

After you set up the GitHub integration, enable IaC scanning for the repositories in your GitHub account.

  1. On the CSM Setup page, expand the Source Code Integrations section.
  2. Click Configure for the GitHub account you want to configure.
  3. To enable IaC scanning:
    • All repositories: Toggle Enable Infrastructure as Code (IaC) Scanning to the on position.
    • Single repository: Toggle the IAC Scanning option for the specific repository to the on position.